Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days

CyberNews researchers reported that Ecco, a global shoe manufacturer and retailer, exposed millions of documents.

Original post @ https://cybernews.com/security/ecco-leaks-sensitive-data-for-months/

Ecco, a global shoe manufacturer and retailer, exposed millions of documents. Not only could anyone have modified the data, but the server misconfiguration’s severity likely left the company open to an attack that could have affected customers all over the world.

It’s no use carrying an umbrella if your shoes are leaking, an old Irish proverb says. Words that sum up the recent predicament of Ecco, a Danish shoe manufacturer and retailer with thousands of stores and sales points all over the planet.

Our research team discovered an exposed instance hosting a trove of data for Ecco. The team has identified that Ecco left 50 indices exposed to the public, with over 60GB of data accessible since June 2021.

Millions of sensitive documents, from sales to system information, were accessible. Anyone with access could have viewed, edited, copied and stolen, or deleted the data.

We reached out to Ecco but received no reply before going to press. However, at the time of publishing, the company appears to have fixed the problem.

What happened?

Our research team recently discovered an exposed instance that hosts Kibana, an ElasticSearch visualization dashboard, for Ecco. Kibana allows processing of information on ElasticSearch, a storage facility favored by enterprises dealing with large volumes of data.

Even though the instance hosting the dashboard was protected with a basic Hypertext Transfer Protocol (HTTP) authentication, the server was misconfigured and allowed all Application Programming Interface (API) requests through. Under an umbrella with leaky shoes, indeed.

The misconfigured authentication allowed us to look up the index names on Ecco’s ElasticSearch, revealing 50 exposed indices with over 60GB of data. The exposed servers contain documents ranging from sales and marketing to logging and system information.

According to the team, historical data indicates that the exposed database was left accessible for at least 506 days, since June 4, 2021. Over 35GB of data was added to the exposed database after the server misconfiguration opened a security hole in Ecco’s infrastructure.

“A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage.”Cybernews researchers said.

“Immense damage”

The names of indices on the open server show that millions of documents were revealed. For example, a directory named sales_org contained over 300,000 documents. Another directory, titled market_specific_quality_dashboard, had over 820,000 records.

As the table with exposed indices shows, millions of documents covering various aspects of Ecco’s corporate life were accessible, from performance monitoring to information about system status.

Worryingly, the database appears to be linked with the ecco.com website, likely used by international Ecco websites, thus providing a skilled threat actor with the means to target the company globally.

According to the researchers, the capability to modify the data inside ElasticSearch would be a dangerous tool in the hands of persistent threat actors, allowing them to launch a campaign against Ecco stores, employees, and even clients.

“A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage,” Cybernews researchers said.

Screenshot showing one of the indexes. Image by Cybernews.

Why the misconfiguration discovered by CyberNews is dangerous?

Give a look at the original post published by CyberNews at https://cybernews.com/security/ecco-leaks-sensitive-data-for-months/

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Data Leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.